
If you have already read the wireless penetration testing section of the template in Appendix G, you will find that this chapter is a more detailed walk-through. If you understand how WLANs work, comprehend the general wireless security principles, and have studied both the tools-of-the-trade chapter and the test and attack planning chapter, you might skip this one. Otherwise, stay with us and read the answers to your questions.

The Easiest Way to Get in

The first thing any attacker looks for is "low-hanging fruit." An inexperienced attacker will search for it because he or she can't get into anything else, whereas an experienced Black Hat will look for it to save time and to be sure that (unless it's a honeypot) no IDS or egress filtering is present and that hosts on the network are easy to break into for further backdoor planting. Despite the opinion of a few "security experts," the number of wide-open wireless networks is incredible. By "wide open" we mean no WEP, no MAC filtering, no closed ESSID, no protocol filtering, and most likely an AP management interface accessible from the WLAN. There are a variety of reasons why this situation exists, the major one being the laziness and ignorance of users (or even system administrators). When attacking such networks, a cracker has only three main concerns: physical network reachability, connectivity to the Internet, and the (rare) possibility of a honeypot trap. Let's explore each in further detail.

Physical network reachability: Even if a network is wide open, it is no good (for a cracker) if the only way to connect to it is to sit with a laptop right under the office window.

Connectivity to the Internet: Is it present and how "fat" is the "pipe"?

Honeypot trap: Is trouble on the way?

The first issue, reachability, is addressed by a high-gain antenna. A high-gain omnidirectional might look like a walking stick or a pool cue and will not raise any suspicions. The majority of Yagis can pass for poster holders, and even the directional dishes would not surprise anyone as long as the cracker passes himself or herself off as a telecom engineer troubleshooting a link or even an amateur radio enthusiast. It is truly amazing when you sit in the park with a huge antenna in the middle of nowhere and present yourself as a university student doing research. The second issue, connectivity, can be sorted out by multiple means; for example, the gateway IP address shows up in any DHCP traffic present. We have to admit, we like Ettercap. Press p/P in Ettercap to list the available plug-ins. The plug-in that discovers LAN gateways is called triton. The last issue, the honeypot trap, is difficult to solve. Use your intuition and skill to determine whether this low-hanging fruit is poisoned. Looking for sniffers helps; check out the hunter plug-in in Ettercap (Figure 8-1).
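From the defender's side, the "wide open" definition given at the start of this section is a checklist that can be audited against an access point's own configuration. The following is an added example, not code from the book: it parses a hostapd-style key=value configuration (the sample is constructed) and reports which of the chapter's indicators hold. Protocol filtering and reachability of the AP management interface are not hostapd settings and are therefore out of scope here; the check covers encryption, MAC filtering and closed ESSID only.

```python
"""Audit a hostapd-style config for the chapter's 'wide open' indicators."""
from typing import Dict, List

# Constructed sample configuration (not a real deployment): open, unfiltered, broadcast SSID.
SAMPLE_CONF = """\
# constructed sample hostapd.conf
interface=wlan0
ssid=GuestWLAN
channel=6
macaddr_acl=0
ignore_broadcast_ssid=0
"""

NO_ENCRYPTION = "no link-layer encryption (no WEP, no WPA)"
NO_MAC_FILTER = "no MAC address filtering"
OPEN_ESSID = "ESSID broadcast (not closed)"


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' comments and blank lines are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def wide_open_findings(conf: Dict[str, str]) -> List[str]:
    """Return the chapter's 'wide open' indicators that this config exhibits."""
    findings: List[str] = []
    # wpa=1/2/3 enables WPA/WPA2; wep_default_key or wep_keyN configures WEP; neither = open.
    has_wpa = conf.get("wpa", "0") not in ("0", "")
    has_wep = "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf)
    if not has_wpa and not has_wep:
        findings.append(NO_ENCRYPTION)
    # macaddr_acl=0 accepts every station unless listed in deny_mac_file; 1 = accept list, 2 = RADIUS.
    if conf.get("macaddr_acl", "0") == "0" and "deny_mac_file" not in conf:
        findings.append(NO_MAC_FILTER)
    # ignore_broadcast_ssid=0 announces the SSID in beacons; 1 or 2 hides it ("closed ESSID").
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append(OPEN_ESSID)
    return findings


def is_wide_open(conf: Dict[str, str]) -> bool:
    """True when every indicator hostapd can express is present."""
    return set(wide_open_findings(conf)) == {NO_ENCRYPTION, NO_MAC_FILTER, OPEN_ESSID}


if __name__ == "__main__":
    for f in wide_open_findings(parse_hostapd(SAMPLE_CONF)):
        print("finding:", f)
```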